Alexandre Perlmutter edited this page Jul 28, 2023 · 1 revision

Work with OVH registered domains

To use cert-manager with OVH, we advise you to use the cert-manager-webhook-ovh by @aureq.

  1. Add the Helm chart repo:

```shell
helm repo add cert-manager-webhook-ovh-charts https://aureq.github.io/cert-manager-webhook-ovh
helm repo update
```

  2. Download and fill in `values.yaml`.

  3. Install the webhook:

```shell
helm upgrade --install --namespace cert-manager -f values.yaml cm-webhook-ovh cert-manager-webhook-ovh-charts/cert-manager-webhook-ovh
```

  4. Let the webhook container run as root (grant the `anyuid` SCC to its service account):

```shell
oc adm policy add-scc-to-user anyuid -z cm-webhook-ovh-cert-manager-webhook-ovh -n cert-manager
```

  5. Update and apply the following YAML to give sufficient permissions to the webhook service account (read access to the single OVH credentials Secret only):

```yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: 'cm-webhook-ovh-cert-manager-webhook-ovh:secret-reader'
  namespace: <CERT-MANAGER_NAMESPACE>
rules:
  - verbs:
      - get
      - watch
    apiGroups:
      - ''
    resources:
      - secrets
    resourceNames:
      - <OVH_CREDENTIALS_SECRET_NAME>
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: 'cm-webhook-ovh-cert-manager-webhook-ovh:secret-reader'
  namespace: <CERT-MANAGER_NAMESPACE>
subjects:
  - kind: ServiceAccount
    name: cm-webhook-ovh-cert-manager-webhook-ovh
    namespace: <CERT-MANAGER_NAMESPACE>
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: 'cm-webhook-ovh-cert-manager-webhook-ovh:secret-reader'
```
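The Role above is deliberately narrow: only `get` and `watch`, only `secrets`, and only the one Secret named in `resourceNames`. The following added check (not part of this wiki or of cert-manager-webhook-ovh) audits a Role for Secret rules that drift from that pattern; the manifests are embedded as Python dicts, i.e. the parsed form of the YAML, so it runs without PyYAML, and the secret name `ovh-credentials` is a constructed placeholder.

```python
"""Flag Role rules that expose Secrets more broadly than the webhook needs."""

# The only verbs the webhook Role on this page grants on Secrets.
ALLOWED_SECRET_VERBS = {"get", "watch"}


def audit_secret_rules(role):
    """Return a list of findings; an empty list means the Role matches the page's pattern."""
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        resources = set(rule.get("resources", []))
        if "secrets" not in resources and "*" not in resources:
            continue  # rule does not touch Secrets
        verbs = set(rule.get("verbs", []))
        if "*" in verbs or not verbs <= ALLOWED_SECRET_VERBS:
            findings.append(f"rule {i}: verbs {sorted(verbs)} exceed {sorted(ALLOWED_SECRET_VERBS)}")
        if not rule.get("resourceNames"):
            findings.append(f"rule {i}: no resourceNames, so every Secret in the namespace is readable")
        if "*" in resources:
            findings.append(f"rule {i}: wildcard resources")
    return findings


# Constructed: the page's Role with the placeholders filled in.
WEBHOOK_ROLE = {
    "kind": "Role",
    "metadata": {"name": "cm-webhook-ovh-cert-manager-webhook-ovh:secret-reader", "namespace": "cert-manager"},
    "rules": [{"verbs": ["get", "watch"], "apiGroups": [""], "resources": ["secrets"],
               "resourceNames": ["ovh-credentials"]}],
}

# Constructed: a tempting "just make it work" variant that reads every Secret in the namespace.
BROAD_ROLE = {
    "kind": "Role",
    "metadata": {"name": "secret-reader-broad", "namespace": "cert-manager"},
    "rules": [{"verbs": ["get", "list", "watch"], "apiGroups": [""], "resources": ["secrets"]}],
}

if __name__ == "__main__":
    for name, role in (("webhook-role", WEBHOOK_ROLE), ("broad-role", BROAD_ROLE)):
        result = audit_secret_rules(role)
        print(f"{name}: {'OK' if not result else '; '.join(result)}")
```

Run it against a Role pulled with `oc get role <name> -o json` (after `json.load`) to confirm the binding you applied still grants nothing beyond the one credentials Secret.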

Work with Azure hosted clusters

If your OCP cluster is hosted on Azure, the OCP installer will have configured the cluster DNS to look up your cluster's hostname in your Azure private DNS zone. Hence, cert-manager won't be able to find the authoritative nameserver for routes that use your cluster's hostname, and DNS-01 self-checks will fail.

These are the steps to follow to tell cert-manager not to use your cluster's DNS for DNS-01 checks (assuming you are using cert-manager Operator for Red Hat OpenShift):

  1. Go to the cert-manager Operator for Red Hat OpenShift
  2. Click on the CertManagers tab
  3. Select the cluster instance
  4. Edit the YAML to append the following spec (public recursive resolvers are used instead of the cluster DNS):

```yaml
spec:
  ...
  controllerConfig:
    overrideArgs:
      - '--dns01-recursive-nameservers-only'
      - '--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53'
```